Analyzing data in Autopsy uses the following workflow:
- Create a Case: A case is a container for one or more data sources. A case must be created before any data can be analyzed. See Cases for more details.
- Add a Data Source: One or more data sources are added to the case. Data sources include disk images and local files. See Data Sources for more details.
- Analyze with Ingest Modules: After the data source is added, ingest modules run in the background to analyze the data. Results are posted to the interface in real time and provide alerts as necessary. Example ingest modules include hash calculation and lookup, keyword searching, and web artifact extraction. Third-party modules can be developed and added to the pipelines. See Ingest Modules.
- Manual Analysis: The user navigates the interface, file contents, and ingest module results to identify the evidence. Interesting items can be tagged for later reporting and analysis.
- Report Generation: The user initiates a final report based on selected tags or results.
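
To make the "Analyze with Ingest Modules" step concrete, the following added example (not Autopsy code and not its module API) runs two file-level modules, hash lookup and keyword search, over a local-files data source and yields each result as soon as it is found. The function names, the use of SHA-256, the hash set, the keyword list, and the sample files are all constructed assumptions.

```python
import hashlib
import os
import tempfile

# Constructed hash set: SHA-256 of the constructed "tool.bin" content below.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malware-sample").hexdigest()}
KEYWORDS = [b"password", b"invoice"]  # constructed keyword list

def hash_lookup_module(path, data):
    """Hash the file content and look the digest up in the hash set."""
    digest = hashlib.sha256(data).hexdigest()
    return [("Hash Hit", path, digest)] if digest in KNOWN_BAD_SHA256 else []

def keyword_module(path, data):
    """Case-insensitive search of the raw bytes for each keyword."""
    lowered = data.lower()
    return [("Keyword Hit", path, kw.decode()) for kw in KEYWORDS if kw in lowered]

def run_ingest(data_source, modules):
    """Pass every file through every module; yield results as they appear."""
    for root, _dirs, files in sorted(os.walk(data_source)):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, data_source)
            with open(full, "rb") as fh:
                data = fh.read()
            for module in modules:
                yield from module(rel, data)

def build_sample_source(directory):
    """Write three constructed files that stand in for a data source."""
    samples = {
        "notes.txt": b"Reminder: the VPN Password is on the whiteboard.",
        "tool.bin": b"constructed-malware-sample",
        "readme.md": b"Nothing of interest here.",
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)

def demo():
    """Build the sample source, run both modules, and collect the results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_source(tmp)
        return list(run_ingest(tmp, [hash_lookup_module, keyword_module]))

if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind}: {path} ({detail})")
```

Each tuple plays the role of a result posted to the interface; a third-party module in this sketch is simply another function with the same `(path, data)` signature added to the list.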